Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

12/12/2019
10:15 AM
100%
0%

Lessons from the NSA: Know Your Assets

Chris Kubic worked at the National Security Agency for the past 32 years, finishing his tenure as CISO. He talks about lessons learned during his time there and what they mean for the private sector.

Over the past decade, Chris Kubic has worked to secure the US intelligence community's information systems and environment, architected the National Security Agency's cloud infrastructure, and, for his past three years, led the agency's network-security efforts as the chief information security officer. 

His lessons for public companies? Focus on your assets. Not enough companies know what is in their environments — the first step to knowing what to protect, he says.

"Securing the NSA is not that much different to securing a large, complex environment in the commercial sector," he says. "It comes down to this: You just need to be good with the basic blocking and tackling of cybersecurity. What I mean by that is you really need to start out by gaining a very firm understanding of the environment that you are trying to secure."

Kubic, who joined Fidelis Cybersecurity in October, spent 32 years at the NSA, working his way up from a security project engineer to CISO. During that time, the National Security Agency has had many successes but quite a few high-profile information-security failures, from the massive leak of operational data and tools by contractor Edward Snowden to the overreach of a surveillance program that Congress is now calling to end. In July, NSA director General Paul Nakasone argued for the agency to refocus on cybersecurity, following years of reportedly failing to prioritize the discipline

While Kubic would not discuss the details of his time at the NSA, he did discuss his thoughts on cybersecurity strategy that could be applied to the private sector. A key component of that is situational awareness, he says.

"You need to understand all your assets that are part of the enterprise that you are securing," Kubic says. "You need to understand how those assets are configured, where they are deployed, how they are connected, how they are patched and updated — all those kinds of details are important when you are trying to secure your domain."

With nation-states continuing to develop their capabilities, assistance from the government will become increasingly important, he says. The government has a lot to offer companies, he adds.

"Coming from the government, not surprisingly, I think it is a good idea to have more government involvement to defend nations' networks," Kubic says. "It gets a little dicey when you are talking about private industry, and it's really hard to mandate government involvement in that, but I think the government has a lot to offer, and certainly can offer, to be that independent broker that helps by connecting the dots across industries."

Looking toward 2020, Kubic sees the application of machine learning and artificial intelligence to security as inexorable. With a shortage of knowledgeable workers, using analytics to sift through the massive data produced by companies and detect threats is critical, he says.

"On the cybersecurity side, the continued use of analytics, machine learning, and artificial intelligence will be important in securing our environments, but on the negative side, I think we will see a lot more adversary use of such technology to disguise their attacks, making it even harder for folks to defend their network," he says.

The majority of cybersecurity workers see machine learning and artificial intelligence as a positive benefit. A July 2018 report by the Ponemon Institute found 60% of respondents believed AI would help them enrich security information and simplify the detection and response to security threats. Only a third of respondents, however, thought the technology would reduce workload for security teams.

For companies overwhelmed with data, Kubic recommends the security team identify the truly critical data and systems and focus on making sure those are secure. 

"Not all assets are created equal," he says, "so you really need to sit down and understand what are those high-value assets that need to be protected better than the rest of the enterprise. That is either where you have your critical data stored or assets that are supporting your business' critical functions. It is not easy to map out those workflows, but without that it is hard to prioritize where you need to make investments in cybersecurity."

Most of all, companies need to do the basics right, he says. 

"In 2020, people need to stay focused on the basics of cyber hygiene," Kubic says. "It is the unpatched systems and unmitigated vulnerabilities that are the easy button for the cyber adversary. You cannot take your eye off the prize there."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Next Security Silicon Valley: Coming to a City Near You?"

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DouglasF354
100%
0%
DouglasF354,
User Rank: Author
12/13/2019 | 12:48:28 PM
Know your assets
The 'blue collar' control that is 'asset management' doesn't get the love it needs. And that critically undermines the CISO and the security program. The 'asset management' problem to cyber security is like the 'high blood pressure' problem that leads to stroke. It's quiet, often undetected, not discussed commensurate to the risk. And it's a security killer.
  1. The ability to do 'basic cyber hygiene' is undermined when it's difficult to get a proper fix on in-scope assets. Threats will find what you didn't.
  2. Of course, it costs more to be able to understand the asset-scape better. And that has been a difficult budget pitch and win for security. It's generally easier to win budget for that cool new tech than it is for what is perceived as general maintenance.
  3. More insidious is the strategic problem of connecting with executives and the board. Having robust asset inventories is tactically critical, but strategically the pitch needs to be focused on protection of big impact/ high value business assets. That is the bullseye to gain executive buy in. If you cannot robustly connect high value business assets strongly to the asset inventories, then you cannot confidently pitch a strong protection result to executives. And that undermines CISO success and confidence.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Data Loss Spikes Under COVID-19 Lockdowns
Seth Rosenblatt, Contributing Writer,  5/28/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13777
PUBLISHED: 2020-06-04
GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TL...
CVE-2020-10548
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10549
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10546
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10547
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.